b'                         OFFICE OF INSPECTOR GENERAL\n                        CORPORATION FOR NATIONAL AND\n                             COMMUNITY SERVICE\n\n\n\n                              Independent Audit Report of\n                               Office of Inspector General\n                   Review of Corporation for National and Community\n                   Service Implementation of the Federal Information\n                                Security Management Act\n                                  For Fiscal Year 2003\n\n                               OIG Audit Report Number 03-25\n                                     August 21,2003\n\n\n\n\n                                           Prepared by:\n\n                             Richard S. Carson & Associates, Inc.\n                              4720 Montgomery Lane, Suite 800\n                                 Bethesda, MD 208 14-3444\n\n\n\n\nThis report was issued to Corporation management on September 18, 2003. Under the laws and\nregulations governing audit follow up, the Corporation must make final management decisions on the\nreport\'s findings and recommendations not later than March 18, 2004, and complete its corrective\nactions by September 18,2004. Consequently, the report findings do not necessarily represent the final\nresolution of the issues presented.\n\x0c                                                                                 Independent Audit Report\n               Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\n\n\nRichard S. Carson & Associates, Inc. (Carson Associates), on behalf of the Office of Inspector\nGetleral (OIG) of the Corporation for National and Community Service (CNCS), completed this\nIndependent Audit Report. The Lndependent Audit Report provides findings and conclusions\nand, when applicable, identifies problem areas and makes recommendations for resolution.\n\nOn December 17, 2002, President George W. 
Bush signed into law the E-Government Act of\n2002 (Pub. L. No. 107-347), which includes Title 111, the Federal Information Security\nManagement Act of 2002 (FISMA). The FISMA permanently reauthorized the framework laid\nout in the Government Information Security Reform Act of 2000 (GISRA), which expired in\nNovember 2002. The FISMA outlines the information security management requirements for\nagehcies, including the requirement for annual review and independent assessment by agency\ninspectors general. In addition, FISMA includes new provisions aimed at further strengthening\nthe security of the Federal government\'s information and information systems, such as the\ndevielopment of minimum standards for agency systems. The annual assessments provide\nagehcies with the information needed to determine the effectiveness of overall security programs\nand to develop strategies and best practices for improving information security.\n\nThe independent audit comprises four elements: evaluation of CNCS\'s information security\nprogram, evaluation of CNCS progress towards correcting weaknesses addressed within the 2002\nPlan of Action and Milestones (POA&Ms), review of Corporation self-assessments and\nverification and testing of information security controls for four representative information\nsystems. The results of the independent audit address the problems identified during the\nevaluation. 
The major findings from the report are summarized in the Results in Brief.\n\n\n\nThe objectives of the independent audit of CNCS\'s information security program were to:\n\n        Test the effectiveness of information security policies, procedures and practices of a\n        representative subset of the agency\'s information systems;\n        Assess compliance with FISMA and related information security policies, procedures,\n        standards and guidelines; and\n        Conduct follow-up assessment of agency progress in correcting weaknesses identified in\n        prior GISRAIFISMA evaluations, including those weaknesses listed in the Fiscal Year\n        (FY) 2002 POA&M.\n\n\n\nCNCS has taken a number of steps during the past year to enhance its security program and\naddress issues identified in the 2002 GISRA report. These enhancements are as follows:\n\n        Hardware and software have been acquired and installed to provide Continuity of\n        Operations (COOP) for the e-Grants system.\n\n        The COOP has been successfully tested for e-Grants, with full capability anticipated by\n        the end of this fiscal year.\n\x0c                                                                                Independent Audit Report\n              Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\n       Certification and Accreditations (C&As) were completed for all major applications (MA)\n       during this reporting period.\n\n       Improvements have been made to the test planning and execution process. 
Efforts are\n       ongoing to integrate these improvements into the formal Systems Development Lifecycle\n       (SDLC) methodology.\n\n       CNCS maintains a very effective security awareness program; all employees and\n       contractors (requiring system access) undergo annual security awareness training.\n\n       Configuration Management (CM) policies include extensive work in the tracking of\n       hardware inventory and software licensing, as well as the use of automation tools to track\n       system level configurations for desktop deployment and configuration control.\n\nNotwithstanding the improvements stated above, some areas showed little progress toward\nremediation andlor did not adhere to Office of Management and Budget (OMB) A 4 3 0 guidance.\nThese areas were identified as problems.\n\n       The lack of system-level rules of behavior for the Electronic-System for Program\n       Agreements and National Service Participants (E-SPAN) and Electronic-Grants (e-\n       Grants) were identified as a weakness in last year\'s GISRA assessment, but have not\n       been documented or addressed to date. While there are a variety of policies and\n       procedures for system users and many cover "rules" that affect applicable systems,\n       Program Officials have not defined system-specific rules as required by OMB A-130.\n\n       The 2002 GISRA report stated that a summary of major system security plans was not\n       included in the Corporation\'s Information Management (IM) Strategic Plan. This item is\n       identified in the agency-wide POA&M but, to date, has not been included in the IM\n       Strategic Plan. 
However, during an August 2003 interview with the Deputy Chief\n       Information Officer (Deputy CIO), it was determined that this weakness is now being\n       addressed and should be resolved upon publication of the revised plan this year.\n\n       The Corporation has a stated policy to perform complete C&A processes for all major\n       systems each year (versus every three years or whenever a major system change occurs),\n       rather than performing annual tests and evaluations as defined in OMB A-130. However,\n       there is no documented policy within CNCS stating annual System Test and Evaluation\n       (ST&E) and risk-assessment processes will be accomplished as a part of C&A.\n\n       The Corporation\'s corrective action process needs to be improved to ensure that all\n       Information Technology (IT) security weaknesses are identified on system-level\n       POA&Ms and that the Program Officials and the OIG track and support resolution of\n       these actions in a pro-active, collaborative way. The Corporation\'s Deputy CIO and OIG\n       maintain a variety of tracking systems and maintain their own processes. However, the\n       POA&M process, as described by OMB A-130 and recent FISMA reporting guidance\n       issued August 6, 2003, is not the Corporation\'s authoritative management tool for\n       tracking IT security weaknesses.\n\n       The Corporation identifies their major systems in a variety of methods, such as Exhibit\n       300s, Security Plans and the IM Strategic Plan. However, there is no single source for\n       maintaining the Corporation\'s inventory of major systems and their inter-connections\n\x0c                                                                                Independent Audit Report\n              Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\n       with other systems. 
The resulting condition is a lack of reconciliation between\n       documents and reporting methods concerning the official list of major systems within\n       CNCS.\n\n\n\nBased on these findings, the audit team has made a number of recommendations to strengthen\nCNCS\'s security program. The list of recommendations made to CNCS is consolidated at page\n11.\n\n\n\nAt an exit conference held on August 21, 2003, CNCS officials generally agreed with the\nfindings. The comments provided by CNCS and OIG officials on August 26, 2003, have been\nincorporated in the report where appropriate.\n\nUpon review of the draft report, CNCS officials provided a formal response to the report and\nrecommendations contained therein. This response is provided at Appendix C.\n\n\n\n\n                                                                                                      iii\n\x0c                                                                                   Independent Audit Report\n                 Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nAIS        Automated Information Systems\n\nBCCP       Business ContinuityIContingency Plan\n\nC&A        Certification and Accreditation\nCASE       Computer-Aided Software Engineering\nCCB        Configuration Control Board\nCFO        Chief Financial Officer\nCIO        Chief Information Officer\nCM         Configuration Management\nCNCS       Corporation for National and Community Service\nCOOP       Continuity of Operations Plan\nCOTS       Commercial Off-the-shelf Software\n\nDMZ        Demilitarized Zone\nDNS        Domain Name Service\nDO1        Department of Interior\nDRS        Disaster Recovery Site\n\nE-GRANTS   Electronic-Grants\nE-SPAN     Electronic-System for Program Agreements and National Service Participants\n\nFPS        Federal Protection Service\nFISCAM     Federal Information System Controls Audit Manual\nFedCIRC    Federal 
Computer Incident Response Center\nFISMA      Federal Information Security Management Act\nFY         Fiscal Year\n\nGAGAS      Generally Accepted Government Auditing Standards\nGAO        U.S. General Accounting Office\nGISRA      Government Information Security Reform Act\nGSS        General Support Systems\n\nIG         Inspector General\nISACA      Information Systems Audit & Control Association\nISSO       Information Systems Security Officer\nIM         Information Management\nIP         Internet Protocol\nIRM        Information Resource Management\nIT         Information Technology\n\nLAN         Local Area Network\n\nMA          Major Application\nMOA         Memorandum of Agreement\nMOU         Memorandum of Understanding\nMPD         Washington Metropolitan Police Department\n\x0c                                                                                    Independent Audit Report\n--     -\n                  Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nNBC        National Business Center\nNIST       National Institute of Standards and Technology\n\nOIG        Office of the Inspector General\nOIT        Office of Information Technology\nOMB        Office of Management and Budget\n0s         Operating System\nOWA        Outlook Web Access\n\nPOA&M      Plan of Action and Milestones\n\nRPC        Remote Procedure Call\n\nSAINTTM    System Administrator\'s Integrated Network Tool\nSAS 70     Statement on Auditing Standards (SAS) No. 
70\nSDLC       Systems Development Lifecycle (SDLC)\nSR         Security Incident Report\nSLA        Service Level Agreement\nSNMP       Simple Network Management Protocol\nSP         Special Publication\nST&E       System Test and Evaluation\n\nWBRS       Web-based Reporting System\n\x0c                                                                                                    lndependent Audit Report\n                                  Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nTABLE OF CONTENTS\n\n\n\n\nPurpose ...................................................................................................................................1\n\nIndependent Audit .................................................................................................................... 1\n        Agency Risk Assessments ..................................................................................................................                2\n              Conclusions and Findings .......................................................................................................................2\n              Recommendations ................................................................................................................................... 2\n        Security Policies and Procedures ........................................................................................................                 2\n              Conclusions and Findings .......................................................................................................................2\n              Recommendations ................................................................................................................................... 3\n        System Security Plans ....................................................................................................................... 
3\n              Conclusions and Findings .....................................................................................................................3\n              Recommendations ...................................................................................................................................4\n        Security Awareness and Training .......................................................................................................                   4\n              Conclusions and Findings .......................................................................................................................4\n              Recommendations ................................................................................................................................... 4\n        Annual Testing and Evaluation ...........................................................................................................                 4\n              Conclusions and Findings ....................................................................................................................... 4\n              Recommendations ................................................................................................................................... 6\n        Corrective Action Process ...................................................................................................................             6\n              Conclusions and Findings ....................................................................................................................... 6\n              Recommendations ................................................................................................................................... 8\n        Security Incident Reporting ................................................................................................................              
8\n              Conclusions and Findings .......................................................................................................................8\n              Recommendations................................................................................................................................... 8\n        Continuity of Operations ....................................................................................................................             9\n              Conclusions and Findings ....................................................................................................................... 9\n              Recommendations ................................................................................................................................... 9\n        Configuration Management ................................................................................................................                 9\n              Conclusions and Findings .......................................................................................................................9\n              Recommendations ................................................................................................................................. 10\nConsolidated List of Recommendations ...........................................................................11\n\nResponse to Agency Comments........................................................................................... 12\n\n\nAppendices\n\n        Appendix A:                 Objective. 
Scope and Methodology .....................................................................\n                                                                                                                                       13\n        Appendix B:                 Executive Summary for Office of Management and Budget (OMB) ..................15\n        Appendix C:                 Agency Response to the OIG FISMA Report ...................................................        16\n\x0c                                                                                         Independent Audit Report\n                       Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nBackground\n\nRichard S. Carson & Associates, Inc. (Carson Associates), on behalf of the Office of Inspector General\n(OIG) of the Corporation for National and Community Service (CNCS), completed this Independent\nAudit Report. The Independent Audit Report provides findings and conclusions and, when applicable,\nidentifies problem areas and makes recommendations for resolution.\n\nOn December 17, 2002, President George W. Bush signed into law the E-Government Act of 2002 (Pub.\nL. No. 107-347), which includes Title 111, the Federal Information Security Management Act of 2002\n(FISMA). The FISMA permanently reauthorized the framework laid out in the Government Information\nSecurity Reform Act of 2000 (GISRA), which expired in November 2002. The FISMA outlines the\ninformation security management requirements for agencies, including the requirement for annual review\nand independent assessment by agency inspectors general. In addition, FISMA includes new provisions\naimed at further strengthening the security of the Federal government\'s information and information\nsystems, such as the development of minimum standards for agency systems. 
The annual assessments\nprovide agencies with the information needed to determine the effectiveness of overall security programs\nand to develop strategies and best practices for improving information security.\n\nThe independent audit comprises four elements: evaluation of CNCS\'s information security program,\nevaluation of CNCS progress towards correcting weaknesses addressed within the 2002 Plan of Action\nand Milestones (POA&Ms), review of Corporation self-assessments, and verification and testing of\ninformation security controls for four representative information systems. The results of the independent\naudit are presented in a separate Independent Audit Report that presents a number of recommendations to\naddress the problems identified during the evaluation. The major findings from the report are\nsummarized in the Results in Brief.\n\nPurpose\n\nThe objectives of the independent audit of CNCS\'s information security program were to:\n\n        Test the effectiveness of information security policies, procedures and practices of a\n        representative subset of the agency\'s information systems;\n        Assess compliance with FISMA and related information security policies, procedures, standards\n        and guidelines; and\n        Conduct follow-up assessment of agency progress in correcting weaknesses identified in prior\n        GISRAIFISMA evaluations, including those weaknesses listed in the fiscal year 2002 POA&M.\n\nThis audit report is a stand-alone document and also serves as the authoritative source for the Executive\nSummary to the Office of Management and Budget.\n\nThe audit was conducted in accordance with Generally Accepted Government Auditing Standards. All\napplicable standards were followed.\n\nlndependent Audit\n\nThe information contained in this section provides the findings from research, analysis and assessment of\nthe Corporation\'s information security program. 
Compliance with security standards prescribed by\nOMB, the National Institute of Standards and Technology (NIST) and related authoritative policies,\nprocedures, standards and guidelines (criteria), where applicable, will be cited when describing a specific\nfinding (condition). When appropriate, root cause and affect will be included in the discussion. Lastly,\n\x0c                                                                                         Independent Audit Report\n                       Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nrecommendations will also be made for any weaknesses andlor deficiencies noted.                           These\nrecommendations are intended to assist CNCS in determining the corrective action needed.\n\nAgency Rlisk Assessments\n\nConclusions and Findings\n\nThe Corporation\'s major system security plans have all undergone risk assessments, as part of\ntheir Certiification and Accreditation (C&A) processes, within the last year. OMB A-130 requires\nthat Federal agencies use a risk assessment process when developing security plans. Within CNCS, OMB\nA- 130 was followed. NIST Security Self-Assessment Guide for Information Technology Systems, Special\nPublication (SP) 800-26, was used to develop security plans for their major systems and to conduct the\nrisk assessments. Any risks identified were evaluated by the Information System Security Office (ISSO)\nand were addressed in the cover letter to the Deputy CIO, as the certifying authority. 
As a result of these\nassessments, Program Officials are able to determine the security of their systems and address any\nweaknesses or vulnerabilities before they can be exploited.\n\nRecommendations\n\n        Based on findings associated with agency risk assessments, we recommend that CNCS continue\n        to conduct annual risk assessments in accordance with their well-established organizational\n        practices.\n\nSecurity Policies and Procedures\n\nConclusions and Findings\n\nThe Corporation has a very comprehensive library of policies and procedures available to their\nstaff through their intranet. For example, policies include guidelines for obtaining accounts to the\nnetwork, obtaining security awareness training, using Internet and e-mail systems, protecting and\nhandling sensitive information and responding to incidents. Subject areas are comprehensive, covering\nnetwork system and agency-wide security topics. In addition to security policies, the library includes the\nBusiness ContingencyIContinuity of Operations Plan (BCCP) for the network and a Continuity of\nOperations Plan (COOP) for each of the major systems. These systems define the roles and\nresponsibilities for applicable staff members and contractors, in order to execute the plans in the event of\nsystem failure\n\nThe current SDLC does not include methodologies to support findings from the latest risk\nassessments concerning test procedures, test plans and documented test results. Not having a\ndefined test methodology has resulted in many test items, risk-assessment findings and control test results\nnot being tracked for analysis and resolution. OMB A-130 requires that agency heads take an active role\nin ensuring that security practices are followed throughout the systems\' lifecycles. Within CNCS, the\nDeputy CIO has been an active participant in the development of the Systems Development Lifecycle\n(SDLC) used by the agency for application (system) development. 
To improve the test phase of the\nlifecycle, the Deputy CIO and system owners have recently collaborated to develop a process for test plan\ndevelopment and execution, including roles and responsibilities for the technical staff and end users. This\nmaterial, while not fully integrated into the SDLC document, shows good progress toward achieving full\nintegration of testing into the SDLC methodology.\n\nThe current SDLC does not contain a methodology for evaluating and integrating Commercial Off-\nthe-Self (COTS) products into CNCS\'s automated systems. OMB criteria calls for ensuring security\n\x0c                                                                                         lnde~endentAudit R e ~ o r t\n                       Corporation for National and Community Service (CNCS) FY 2003 lnformaiion Security program\n\n\npractices aEe followed throughout the lifecycle. In today\'s computing environment, many agency systems\ncontain pret-packaged products that can offer advanced capabilities without extensive customization by\nthe techniclal staff. However, while the capabilities are not "developed" by the agency, the product is\nbeing integrated into the collective architecture, thus having a major impact upon the security\nconfigurations and practices in place. Therefore, COTS products should be addressed in the agency\'s\nSDLC documentation.\n\nRecommendations\n\nBased on findings associated with security policies and procedures, we recommend that CNCS take the\nfollowing actions to resolve SDLC weaknesses.\n\n        Include test provisions in the SDLC.\n\n        Include COTS evaluation provisions in the SDLC.\n\nSystem Security Plans\n\nConclusions and Findings\n\nAt the system level, the Electronic-System for Program Agreements and National Service\nParticipants (E-SPAN) and Electronic-Grants(e-Grants) Application Security Plans do not contain\nsystem-specific rules of behavior for all individuals with access to the systems. 
OMB A-130\n[Appendix 111, A(3)(b)(2)(a)] requires that agencies "establish a set of rules concerning the use of and\nbehavior within the application." OMB A-130 also states that:\n\n        "Such rules shall clearly delineate responsibilities and expected behavior of all\n        individuals with access to the application. In addition, the rules shall be clear about the\n        consequences of behavior not consistent with the rules."\n\nThe effects of not having these rules can be numerous. In the case of E-SPAN and e-Grants, end users\nmay not be aware of application-specific data sensitivities or be aware of key personnel that are\nresponsible for release of grant data through the system. In addition, if there are any responsibilities that\nare shared between functional area experts and the technical staff, there may be confusion or\nmisunderstanding concerning the lines of responsibility.\n\nA summary of major application security plans is not included in the Corporation\'s Information\nManagement (IM) Strategic Plan. This is a repeat finding, also identified during the 2002 GISRA\nreport and currently documented and tracked on the agency-wide POA&M. OMB A-130 guidance\n[Appendix 111, (A)(3)(a)(2)] requires that "a summary of the security plans shall be incorporated into the\nstrategic Information Resource Management (IRM) plan required by the Paperwork Reduction Act (44\nU.S.C. Chapter 3 9 . " In addition to non-compliance with the referenced policies, the effect on the\nagency\'s security program is two-fold. First, senior agency officials will not have the strategic security\nprofile available to them, thus impacting security awareness concerning major applications at agency head\nlevel. 
Second, agency officials responsible for developing the strategic plan will not have system security\ninformation available to relate security issues to long-range budget and IT capital planning.\n\x0c                                                                                         Independent Audit Report\n                       Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nRecommendations\n\nBased on findings associated with security policies and procedures, we recommend that CNCS make\npolicy and procedure enhancements as follow:\n\n        Develop E-SPAN and e-Grants rules of behavior.\n\n        Include svstem security plan summaries into the IM Strategic Plan.\n\nSecurity Awareness and Training\n\nConclusions and Findings\n\nCNCS maintains a very effective security awareness program, ensuring all employees and\ncontractors (with system access) undergo annual security awareness training. OMB A-130 requires\nthat "agencies provide security awareness training for all employees (ref: 2003 FISMA Guidance, p34)."\nWithin CNCS, this program is very comprehensive and well maintained in accordance with OMB\nguidelines. The Deputy CIO and the ISSO take an active role in maintaining the security awareness of\nboth the end users and technical staff that supports the Corporation. The ISSO maintains a database of all\nuser security awareness training activity and proactively reminds users whenever their annual training is\nrequired. Corporate policies contain provisions for training prior to obtaining accounts and gaining\naccess to the network, applications and sensitive information, as well as provisions for when accounts will\nbe inactivated and retired. Training material is conveniently available to the users in multiple ways, such\nas on-line training or classroom instruction. 
Additionally, documentation is available to users on-line on\nhow to report security incidents and what their responsibilities are in those instances. Users are also\nprovided with information from the ISSO and the Office of Information Technology (OIT) Help Desk\nregarding current security concerns, such as Federal Computer Incident Response Center (FedCIRC)\nvirus alerts.\n\nRecommendations\n\n        Based on findings associated with the agency\'s security awareness training program, we\n        recommend that CNCS continue to capitalize on current security awareness training practices and\n        procedures.\n\nAnnual Testing and Evaluation\n\nConclusions and Findings\n\nAll major systems reviewed during the assessment had recent C&A packages that contained risk\nassessments and security controls testing results. FISMA and OMB guidance requires that all agency\nsystems be reviewed at least annually, and use the NIST SP 800-26 or an agency-developed methodology\nthat includes all NIST SP 800-26 requirements. As required, CNCS conducts testing and evaluation in\naccordance with the provisions of the NIST self-assessment guide (SP 800-26) and uses the results as a\nbasis for security plan development.\n\nCNCS performs annual C&As, in lieu of annual testing and evaluation; however, there is no\ndocumented policy to ensure compliance with the annual requirement. OMB policy requires that\nsystems undergo complete C&A and security control testing every three years, or whenever a major\nsystem change occurs. OMB requires that all major systems undergo annual testing and evaluation to\nensure that system environments remain secure. The Corporation supports both requirements by\n\x0c                                                                                         Independent Audit Report\n                       Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nperforming complete C&As for all major systems. 
No other risk assessments are performed by agency\nstaff or contractors; the annual independent FISMA audit is the only exception. The practice of\nperforming annual C&As to satisfy the requirement for annual risk assessment, testing and evaluation is\nnot a documented Corporation policy. While this practice currently ensures CNCS compliance with OMB and\nNIST policy, relying on an undocumented procedure could result in failure to perform annual testing if\nsystem owners are not aware of this approach.\n\nCNCS performs scans of its network to identify and mitigate possible vulnerabilities.\n\nInternal Scanning conducted by CNCS\nThe OIT staff uses specialized scanning software to perform detailed vulnerability scans of the\narchitecture to identify issues such as missing patches, open ports and the services that are\nrunning on various servers, routers and workstations. These scans are executed routinely, and are also run\nafter a change has been made to the architecture to ensure the configuration is secure and meets the current\nCM requirements maintained for the network. OIT\'s methodology includes performing system changes\nand updates on a test platform and re-running the applicable scans to validate the changes prior to deployment in\nthe production environment.\n\nInternal Scanning conducted by outside consultant\nThe OIG\'s independent FISMA evaluation included internal scanning. On August 6, 2003, an internal\nvulnerability assessment was conducted using the Security Administrator\'s Integrated Network Tool\n(SAINT™). SAINT™ analyzes the network signature of a given host, assesses the signature for probable\nvulnerabilities, ranks the vulnerabilities in terms of severity, reports the vulnerabilities and suggests a\nremedial course of action. Carson Associates worked with OIT to identify which hosts to scan. A full\nSAINT™ scan was conducted by attaching a laptop with the SAINT™ software installed to the\nCNCS network. 
Scan targets included central file servers and printers, a sample of service centers and\nstate offices and the Corporation\'s Demilitarized Zone (DMZ) servers. Upon completion of the scans, the\nlaptop was removed from the CNCS network and taken to the Carson Associates office in Bethesda, MD.\nThere the data was analyzed and the results compiled for delivery to CNCS. All data and products were\nthen delivered to CNCS and the data removed from the Carson Associates laptop. The detailed results\nfrom these scans were provided to CNCS with the results grouped in two views:\n\n        Service Category (Critical Problems, Areas of Concern, Potential Problems, and\n        Services that are not exploitable)\n\n        Class (Web, Mail, File Transfer, Login/shell, Print Services, Remote Procedure Call (RPC),\n        Domain Name Service (DNS), Databases, Networking/Simple Network Management Protocol (SNMP),\n        Windows Operating System (OS), Passwords, and Other)\n\nExternal scanning conducted by outside consultant\nCarson Associates conducted external scans during the FISMA audit process. On August 20, 2003, an\nexternal assessment was performed using a variety of tools, including SAINT™, nslookup, whois, xprobe,\nnmap and nmblookup. In addition, several attempts were made to access specific ports and services\nidentified by the SAINT™ scan. The external assessment was conducted "blind" (i.e., information from\nthe previous internal assessment and other information previously learned about the CNCS network was\nnot used during the external assessment). The external assessment was conducted in several steps:\n\n       Identify CNCS IP Space - The first step was to identify the Internet Protocol (IP) space "owned"\n       by CNCS. 
A combination of nslookup and the ARIN whois service was used to identify the\n       target IP space.\n\n       SAINT™ Scan - The next step was to perform a SAINT™ scan on the identified IP space.\n       Attachment C contains the details from the SAINT™ scan.\n\n       Nmap and xprobe Scans - After the SAINT™ scan, additional probes were performed using nmap\n       and xprobe. The xprobe scans were useful in identifying possible operating system types for the\n       seven hosts found by the SAINT™ scan.\n\n       Outlook Web Access (OWA) Tests - Information gathered from the CNCS web site and the\n       previous tests was used to compile possible OWA account names. Several attempts were made to\n       access CNCS mailboxes.\n\n       Port and Service Tests - Information gathered by the different scans was used to try to connect\n       to various ports and use various services.\n\nUpon completion of the scans, the data was analyzed and the results compiled for delivery to CNCS. The\nresults of the analysis were provided to CNCS for its analysis and appropriate action.\n\nRecommendations\n\nBased on findings associated with annual testing and evaluation, we recommend that CNCS take action as\nfollows:\n\n        Document the procedure for conducting annual tests and evaluation in a written policy.\n\n        Review the results of the internal and external penetration tests conducted by Carson Associates\n        during this evaluation, and resolve/mitigate vulnerabilities, as appropriate, to meet the security\n        needs of the Corporation and its external customers.\n\nCorrective Action Process\n\nConclusions and Findings\n\nCNCS maintains a single agency-wide POA&M and reports the status of actions on this POA&M to\nOMB on a quarterly basis. 
The Deputy CIO maintains the agency-wide POA&M and tracks summary-level IT security weaknesses\nand security issues having significant financial resource implications. For\nexample, findings concerning deficiencies in system-level documentation are aggregated and tracked as a\nsingle POA&M item, rather than as distinct security weaknesses. The aggregate POA&M complies\nwith OMB policy for agency head tracking and is used by the OIG during annual financial audits to\nevaluate items that may affect compliance with financial guidelines. However, greater granularity below\nthe summary level is needed for tracking IT security weaknesses identified through the various audit,\nassessment and testing processes. Implementation of a comprehensive tracking system, having both\nsummary and system-level detail, would ensure multi-dimensional tracking by system owners, agency\nleadership and oversight bodies such as the OIG and auditors. Tracking should provide a total integrated\npicture of IT security weaknesses, including both agency-wide and system-level POA&Ms.\n\nAgency POA&Ms are not used as the authoritative management tool for tracking IT security\nweaknesses throughout the Corporation. The 2003 FISMA Guidance (page 21) states that agency and\nsystem-level POA&Ms "should be the authoritative agency-wide management tool" for tracking\ncorrective action items associated with security deficiencies. The Deputy CIO does maintain a tracking\ndatabase for action items related to OIT activities. These action items are also tracked in various\napplications, such as the OIT Help Desk database, network action item lists, application "fix" lists and\ndeployment lists. 
However, many of the IT security weaknesses and recommendations shown in risk\nassessments, GISRA/FISMA assessments and financial audits are not maintained in these tracking\nsystems. Additionally, these tracking mechanisms are not used to track or produce system-level\nPOA&Ms. The effect is that CNCS does maintain tracking capabilities to manage various types of action\nitems (including many that are considered IT security weaknesses), but does not use POA&Ms as the\nauthoritative tool as required by OMB. As a result, IT security weaknesses are not being tracked in a\ncoordinated way by the various agency process owners and stakeholders. Using the POA&M process\nas the predominant, overarching tracking method would ensure FISMA compliance. It would also\nfacilitate CNCS staff involvement in IT security weakness mitigation/resolution activities.\n\nMost IT security weaknesses and recommendations from the 2002 GISRA assessment, recent risk\nassessments and control tests are not tracked in the agency-wide POA&M or in system-level\nPOA&Ms. For example, the e-Grants C&A cover letter from the ISSO to the certifying authority states\nthat "the overall risk exposure will remain low upon resolution and implementation of the\nrecommendations listed in the document." However, prior audit findings are not listed in a POA&M or\ntracked in a manner that could be verified for status or resolution. NIST SP 800-26 states that the security\ncertification package should contain the security plan, the security test and evaluation report and a\nPOA&M list. FISMA guidance (August 6, 2003) also states that "an agency should develop a separate\nPOA&M for every program and system for which weaknesses were identified in the FISMA reports, as\nwell as those discovered during other reviews including General Accounting Office (GAO) audits,\nfinancial system audits, and critical infrastructure vulnerability assessments." 
Findings and\nrecommendations are not tracked, managed, addressed or reported as required by FISMA. The possible\nimpact is that IT security weaknesses and vulnerabilities may be overlooked or inadequately addressed\nand mitigated, resulting in unacceptable risk to the agency and related systems.\n\nCNCS functional leaders and the OIG are not involved in the POA&M resolution process.\nCurrently, the Deputy CIO acts on behalf of the agency head, CIO and functional area leaders to support\nthe tracking of IT security weaknesses. The Deputy CIO also acts on behalf of the agency in the role of\nsystem owner for the Network, E-SPAN and e-Grants systems. Functional leaders are only involved in\nsystem-related activities to coordinate with the Deputy CIO and OIT staff to resolve issues that relate to\nthe functionality and operations of their systems. The OIG is involved with the Corporation\'s IT\nactivities during the annual financial audit process, the independent FISMA assessment process and\nmajor system design/re-design processes. As a result of the GISRA results from previous years, the\nAssistant Inspector General for Audit stated that "the OIG has taken steps to determine areas that should\nbe included in the OIG\'s audit plans. For example, the OIG has completed additional network assessment\ntesting and reported the results to Corporation Management in audit report 02-23". The OIG also\nmaintains a tracking system for OIG audit items. Recent FISMA guidance (August 6, 2003) has\nexpanded the required role of the OIG and now requires "IGs to assess against specific criteria, whether\nthe agency has developed, implemented, and manages an agency-wide POA&M process." Specifically,\nOMB Guidance (question a.4) asks whether "agency IGs are an integral part of the POA&M process and\nhave access to agency POA&Ms." 
Notwithstanding OIG involvement during financial audits, this new\nguidance now requires OIGs to become more interactive participants in the POA&M process and to\nassess the effectiveness of the POA&M process in managing IT security weaknesses. In the current\nenvironment, the OIG and corporate system owners do not interact collaboratively within the framework\nof the agency security program.\n\nThus, there is a need for functional area leaders and the OIG to take a more proactive role in tracking and\nreporting POA&M items. Currently the Network, E-SPAN and e-Grants are at the core of agency-owned\nsystems and are under the central responsibility of the Deputy CIO. While the agency is of modest size\n(approximately 600 people) and the relatively small number of major systems and general support\nsystems (fewer than six) may not require the separation of IT management duties, functional area leaders\nand the OIG still share responsibility for ensuring the protection of the systems and data upon which the\nagency depends to accomplish its mission.\n\nRecommendations\n\nBased on findings associated with the corrective action process, we recommend that CNCS expand upon the\ncurrent single agency-wide POA&M to incorporate additional IT security improvements as follows:\n\n        Track IT security weaknesses and recommendations in a single, integrated process consisting of\n        both agency-wide and system-level POA&Ms.\n\n        Implement POA&Ms as the authoritative management tool for tracking IT security weaknesses.\n\n        Increase CNCS functional leader and OIG involvement in the POA&M process.\n\nSecurity Incident Reporting\n\nConclusions and Findings\n\nCNCS has developed and maintains an effective security incident 
reporting process that follows\nFedCIRC policies. OMB A-130 requires that all agencies develop an incident response capability\nfor their major applications and general support systems (2003 FISMA Guidance, p. 35). CNCS maintains a\ndetailed policy available to all users through the CNCS intranet, providing thorough guidance concerning\nthe Serious Incident Report (SIR) procedures and responsibilities.\n\nThe Deputy CIO and ISSO take an active role in the SIR process, particularly for IT-related incident\nreporting. The Deputy CIO is very knowledgeable regarding what types of incidents are considered\n"reportable" and the procedures to be used to invoke the reporting process. In the past year there have\nbeen no incidents at CNCS headquarters, its Service Centers or State Offices that have required an SIR\nto FedCIRC.\n\nPhysical security incident reporting is the responsibility of Administrative Services, which is notified\nimmediately if a physical security incident occurs. If the incident takes place within the headquarters\nfacility, Administrative Services contacts the Federal Protective Service (FPS), which, in turn, responds to\nthe incident. The Washington Metropolitan Police Department (MPD) is contacted for response to\nincidents outside the facility.\n\nRecommendations\n\n         Based on findings associated with the security incident report (SIR) process, we recommend that\n         CNCS continue to manage serious incident reporting as outlined in established agency policies\n         and procedures.\n\nContinuity of Operations\n\nConclusions and Findings\n\nAll of the major applications reviewed during this assessment have undergone testing of their\nContinuity of Operations Plans (COOP) as part of the C&A processes. 
The NIST Contingency\nPlanning Guide for Information Technology Systems (SP 800-34), states that contingency plans should\ncontain detailed records of system configurations in order to enhance system recovery capabilities. The\n2002 GISRA Assessment Report stated that the e-Grants system COOP had been developed, but could\nnot be tested due to the lack of hardware and software in the Disaster Recovery Site (DRS) to recover the\nDMZ. These resources were acquired and installed at the DRS, and the e-Grants COOP was tested in\nSeptember 2002. All testing was successfully completed by October 2002. It was noted by the Deputy\nCIO that a portion of the e-Grants system had not been available for testing by the grantee, but will be\navailable and tested in September 2003. The CNCS network has a current and tested BCCP that includes\nboth COOP details to recover the technical environment and applications and contingencies to counter\nvarious failure scenarios. For example, a contingency exists for a Service Center losing connection with\nthe CNCS network. In that instance, the center\'s capability is transitioned to an alternate site until the\nconnection can be restored. In another example, if the dedicated connection to the Momentum system is\ninterrupted, an alternate "fail-over" site exists to ensure continued operation.\n\nCNCS maintains a variety of mechanisms to ensure documented agreements between CNCS and\noutside agencies and contractors that maintain or own systems critical to CNCS operations. NIST\nSP 800-34 states that "...memorandums of understanding (MOU), memorandum of agreement (MOA), or\na Service Level Agreement (SLA) for an alternate site should be developed specific to the organization\'s\nneeds and the partner organization\'s capabilities" (SP800-34, p22). MOUs represent partnerships\nbetween organizations to help them achieve mutual goals. CNCS has recently reviewed the Statement on\nAuditing Standards No. 
70 (SAS 70) reports on the Department of the Interior\'s National Business Center\n(NBC) in Reston, VA. Additionally, a technical training and assistance agreement exists between the\nCNCS Grants office and the Aguirre Hosting Corporation for the Web-based Reporting System (WBRS).\nCNCS also maintains active contracts and MOUs with contractor-provided facilities for both the\npublic web site and the DRS. Having these documented and agreed-upon policies, requirements, roles and\nresponsibilities between the Corporation and critical "partners" in place further enhances the security and\nsustainment of critical operations and resources.\n\nRecommendations\n\n        Based on findings associated with CNCS management of continuity of operations for IT systems,\n        we recommend that CNCS continue to follow established procedures, with periodic\n        review and update as dictated by the dynamic nature of the threat environment.\n\nConfiguration Management\n\nConclusions and Findings\n\nConfiguration Management (CM) of CNCS systems and assets is performed in a very effective\nmanner. All hardware is maintained in an inventory tracking system managed by the OIT. This\ninventory is reviewed at least once annually as required by FISMA, Section 305. Software licensing and\ninstallations are managed by the OIT Client Support Group, with oversight by the Deputy CIO.\nAutomation tools are used by the OIT to maintain system-level configurations and desktop deployments.\nAdditionally, application configurations are controlled through Configuration Control Boards (CCBs),\nwith budget decisions approved by the Chief Financial Officer (CFO). The OIT also utilizes Computer-Aided\nSoftware Engineering (CASE) tools from Oracle to design, develop and maintain security settings\nand database roles/permissions within application databases.\n\nCNCS has no single source document for maintaining the Corporation\'s inventory of major\nsystems and their inter-connections with other systems. FISMA requires "the head of each\nagency to develop and maintain an inventory of major information systems (including national security\nsystems) operated by or under the control of the agency." The Corporation identifies its major systems\nin a variety of documents, such as Exhibit 300s, Security Plans and the IM Strategic Plan. Although\nCNCS references its systems in these various documents, the current condition has resulted in different\nlists reflecting inconsistencies in what systems exist and which ones are major systems. Establishing a\nsingle authoritative source listing of the Corporation\'s systems would rectify this problem. The official\nlisting should also indicate the criteria used for categorizing the systems. 
The resulting list should then be\nused as the official inventory of CNCS major systems, along with their interconnections with other\nsystems.\n\nRecommendations\n\nBased on findings associated with configuration management, we recommend that CNCS review the\nfollowing recommendations and take actions as necessary to enhance the agency\'s security program.\n\n        Continue to conform to the proven configuration management procedures that are currently in\n        place.\n\n        Develop a single-source inventory of major systems.\n\nConsolidated List of Recommendations\nA recapitulation of all corrective action recommendations contained in this report follows.\n\n        Include test provisions in the SDLC.\n\n        Include COTS evaluation provisions in the SDLC.\n\n        Develop E-SPAN and e-Grants rules of behavior.\n\n        Include system security plan summaries in the IM Strategic Plan.\n\n        Document the procedure for conducting annual tests and evaluation in a written policy.\n\n        Review the results of the internal and external penetration tests conducted by Carson Associates\n        during this evaluation, and resolve/mitigate vulnerabilities, as appropriate, to meet the security\n        needs of the Corporation and its external customers.\n\n        Track IT security weaknesses and recommendations in a single, integrated process consisting of\n        both agency-wide and system-level POA&Ms.\n\n        Implement POA&Ms as the authoritative management tool for tracking IT security weaknesses.\n\n        Increase CNCS functional leader and OIG involvement in the POA&M process.\n\n        Develop a single-source inventory of major systems.\n\n
Response to Agency Comments\n\nAt an exit conference held on August 21, 2003, CNCS officials generally agreed with the findings. The\ncomments provided by the CNCS and OIG officials on August 26, 2003, have been incorporated in the\nreport where appropriate.\n\nUpon review of the draft report, CNCS officials provided a formal response to the report and\nrecommendations contained therein. This response is provided at Appendix C.\n\n                                                                                                      Appendix A\n                       Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nOBJECTIVE, SCOPE AND METHODOLOGY\n\nThe overall objective of this independent audit was to assist the OIG in meeting its FISMA obligation for\nindependent assessment of CNCS\'s information security program in accordance with OMB fiscal year\n2003 reporting guidelines. In support of this objective, the audit team conducted a high-level, qualitative\nreview of the CNCS information security program, specifically evaluating the agency\'s degree of\ncompliance with applicable criteria for a security program, and evaluating the effectiveness of automated\nand manual security controls for the four mission-essential systems of CNCS. Systems examined were:\n\n        Momentum\n        E-Grants\n        E-SPAN\n        Corporation Network\n\nThe following systems and sites were not included in the scope of this audit:\n\n        This audit did not include analysis of the Web-based Reporting System (WBRS). 
This\n        system is a CNCS major application, but was not included by the OIG as a system to be reviewed.\n\n        The OIG LAN was also excluded from the scope of this study.\n\n        Additionally, this study did not include site surveys of Service Centers or contractor-operated\n        facilities.\n\nThe scope of work was organized into three tasks:\n\n        Background Review\n        Audit Fieldwork\n        Audit Reporting\n\nConsistent with these tasks, the methodology involved data collection (e.g., primarily from interviews and\nrecords), data analysis, security controls testing and determination of findings and recommendations.\n\nInterviews entailed administration of structured question sets [e.g., derived from NIST, the Federal\nInformation System Controls Audit Manual (FISCAM) and OMB security criteria] to the following\nCNCS staff:\n\n        Deputy CIO (representing the Agency Head, CIO and Program Officials)\n        Selected OIG staff members\n        Selected system users\n\nThe document review process included agency:\n\n        Plans and policies\n        Reports\n        Network diagrams\n        System certifications and accreditations\n\nAn internal penetration test was conducted to evaluate security aspects of the agency\'s servers, printers,\nworkstations and network infrastructure from inside the CNCS firewall. The test was performed from\ninside the CNCS security perimeter in close coordination with the Deputy CIO and Network\nAdministrator. Network vulnerability scans were performed using the Security Administrator\'s Integrated\nNetwork Tool (SAINT™).\n\nAn external penetration test was conducted to evaluate security aspects of the agency\'s firewall. 
The test\nwas performed from outside the CNCS security perimeter (i.e., from the Internet). Network vulnerability\nscans were performed using SAINT™.\n\nAll analyses were performed in accordance with guidance from the following:\n\n        GAO, Government Auditing Standards, 2003 Revision\n        GAO, Federal Information System Controls Audit Manual, Volume I: Financial Statement\n        Audits, January 1999\n        National Institute of Standards and Technology Special Publication 800-26, Self-Assessment\n        Guide for Information Technology Systems, August 2001\n        OMB reporting instructions\n        Information Systems Audit & Control Association standards\n        CNCS OIG Audit Guidance\n\nThe evaluation was conducted on site at CNCS headquarters, 1201 New York Avenue, NW, Washington,\nDC 20525, between July 21 and August 27, 2003. Evaluators were Karen Frey, Randy Laudermilk, Jane\nLaroussi, Anthony Van Dyck and Diane Reilly from Richard S. Carson & Associates, Inc., 4720\nMontgomery Lane, Suite 800, Bethesda, MD 20814.\n\n                                                                                            Appendix B\n             Corporation for National and Community Service (CNCS) FY 2003 Information Security Program\n\n\nEXECUTIVE SUMMARY FOR THE OFFICE OF MANAGEMENT AND BUDGET (OMB)\n\n                         OFFICE OF INSPECTOR GENERAL\n                        CORPORATION FOR NATIONAL AND\n                             COMMUNITY SERVICE\n\n\n\n                                   Executive Summary for\n                         Office of Management and Budget (OMB)\n                                        Pertaining to\n                                 Office of Inspector General\n                 Review of Corporation for National and Community Service\n                     Implementation of the Federal Information Security\n                                      Management Act\n                                    For Fiscal Year 2003\n\n   
                                  OIG Audit Number 03-26\n                                        August 21, 2003\n\n\n\n\n                                           Prepared by:\n\n                             Richard S. Carson & Associates, Inc.\n                              4720 Montgomery Lane, Suite 800\n                                 Bethesda, MD 20814-3444\n\n\n\n\nThis report was issued to Corporation management on September 18, 2003. Under the laws and\nregulations governing audit follow up, the Corporation must make final management decisions on the\nreport\'s findings and recommendations not later than March 18, 2004, and complete its corrective\nactions by September 18, 2004. Consequently, the report findings do not necessarily represent the final\nresolution of the issues presented.\n\nRichard S. Carson & Associates, Inc. (Carson Associates), on behalf of the Office of Inspector\nGeneral (OIG) of the Corporation for National and Community Service (CNCS), completed an\nindependent audit of the Corporation\'s implementation of the Federal Information Security\nManagement Act (FISMA) for Fiscal Year (FY) 2003. The Independent Audit Report provides\nspecific findings and conclusions and, when applicable, identifies problem areas and makes\nrecommendations for resolution. This Executive Summary for the Office of Management and\nBudget (OMB) reports the results of this CNCS independent audit.\n\nOn December 17, 2002, President George W. Bush signed into law the E-Government Act of\n2002 (Pub. L. No. 107-347), which includes Title III, the Federal Information Security\nManagement Act of 2002 (FISMA). FISMA permanently reauthorized the framework laid\nout in the Government Information Security Reform Act of 2000 (GISRA), which expired in\nNovember 2002. FISMA outlines the information security management requirements for\nagencies, including the requirement for annual review and independent assessment by agency\ninspectors general. 
In addition, FISMA includes new provisions aimed at further strengthening\nthe security of the Federal government\'s information and information systems, such as the\ndevelopment of minimum standards for agency systems. The annual assessments provide\nagencies with the information needed to determine the effectiveness of overall security programs,\nand to develop strategies and best practices for improving information security.\n\nThe independent audit comprises four elements: evaluation of CNCS\'s information security\nprogram, evaluation of CNCS progress towards correcting weaknesses addressed within the 2002\nPlan of Action and Milestones (POA&Ms), review of the self-assessments and verification and\ntesting of information security controls for four representative information systems. The results\nof the independent audit address the problems identified during the evaluation. The major\nfindings from the report are summarized in the Results in Brief.\n\nObjectives\n\nThe objectives of the independent audit of CNCS\'s information security program were to:\n\n        Test the effectiveness of information security policies, procedures and practices of a\n        representative subset of the agency\'s information systems;\n        Assess compliance with FISMA and related information security policies, procedures,\n        standards and guidelines; and\n        Conduct follow-up assessment of agency progress in correcting weaknesses identified in\n        prior GISRA/FISMA evaluations, including those weaknesses listed in the Fiscal Year\n        2002 POA&M.\n\nResults in Brief\n\nCNCS has taken a number of steps during the past year to enhance its security program and\naddress issues identified in the 2002 GISRA report. 
These enhancements are as follows:\n\n        Hardware and software have been acquired and installed to provide continuity of\n        operations for the e-Grants system.\n\n        The Continuity of Operations Plan has been successfully tested for e-Grants, with full\n        capability anticipated by the end of this fiscal year.\n\n        Certifications and Accreditations were completed for all major applications during this\n        reporting period.\n\n        Improvements have been made to the test planning and execution process. Efforts are\n        ongoing to integrate these improvements into the formal Systems Development Lifecycle\n        methodology.\n\n        CNCS maintains a very effective security awareness program; all employees and\n        contractors requiring system access undergo annual security awareness training.\n\n        Configuration Management policies include extensive work in the tracking of hardware\n        inventory and software licensing, as well as the use of automation tools to track system-level\n        configurations for desktop deployment and configuration control.\n\nNotwithstanding the improvements stated above, some areas showed little progress toward\nremediation and/or did not adhere to OMB A-130 guidance. These areas were identified as\nproblems.\n\n       The lack of system-level rules of behavior for the Electronic System for Program\n       Agreements and National Service Participants (E-SPAN) and e-Grants was identified as\n       a weakness in last year\'s GISRA assessment, but these rules have not been documented or\n       addressed to date. 
There are a variety of policies and procedures for the agency that are used by\n       these system users and many cover "rules" that affect the applicable systems; however,\n       program officials have not defined system-specific rules as required by OMB A-130.\n\n       The 2002 GISRA report stated that a summary of major system security plans was not\n       included in the Corporation\'s Information Management Strategic Plan. This item is\n       identified in the agency-wide POA&M but, to date, has not been included in the\n       Information Management Strategic Plan. However, during an August 2003 interview\n       with the Corporation\'s Deputy Chief Information Officer, (currently the position of Chief\n       Information Officer is vacant), it was found that this weakness is now being addressed\n       and should be resolved upon publication of the revised plan this year.\n\n       The Corporation has a stated policy to perform complete Certification and Accreditation\n       processes each year (versus every 3 years or whenever a major system change occurs) for\n       all major systems, rather than performing annual tests and evaluations as defined in OMB\n       A-130. However, there is no documented policy within CNCS stating annual System\n       Test and Evaluation and risk assessment processes will be accomplished as a part of\n       Certification and Accreditation.\n\n       The Corporation\'s corrective action process needs to be improved to ensure that all\n       Information Technology (IT) security weaknesses are identified on system-level\n       POA&Ms and that the program officials and Inspector General track and support\n       resolution of these actions in a pro-active, collaborative way. The Corporation\'s Deputy\n       Chief Information Officer and Office of Inspector General maintain a variety of tracking\n       systems and maintain their own processes. 
However, the POA&M process, as described\n\x0c       by OMB A-130 and recent FISMA reporting Guidance (August 6, 2003), is not the\n       Corporation\'s authoritative management tool for tracking IT security weaknesses.\n\n       The Corporation identifies their major systems in a variety of methods, such as Exhibit\n       300s, Security Plans and the Information Management Strategic Plan. However, there is\n       no single source for maintaining the Corporation\'s inventory of major systems and their\n       inter-connections with other systems. The resulting condition is a lack of reconciliation\n       between documents and reporting methods concerning the official list of major systems\n       within CNCS.\n\n\n\nThe Independent Audit Report includes 10 recommendations to strengthen the CNCS security\nprogram.\n\x0cA. OVERVIEW OF FISMA IT SECURITY REVIEWS\n\n\n\n\n                                                                                           1                    I   FY03 Contractor\n                                                                         FY03 Programs     I   FY03 Systems     loperations or Facilities\n                                                                                I          I         I          I            I\n\n ureau Name\n NCS\n\n                                                                    I           I          I         I          I            I\n\n.gency Total                                                               3         3          5         3           2            2\n. 
For operations and assets under their control, have agency program officials and the agency CIO
used appropriate methods (e.g., audits or inspections, agreed upon IT security requirements for
contractor provided services or services provided by other agencies) to ensure that contractor
provided services or services provided by another agency for their program and systems are
adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national
security policy, and agency policy?

        Program officials: Yes          Agency CIO: Yes

If yes, what methods are used? If no, please explain why.

        CNCS used several methods. CNCS has recently reviewed the Statement on Auditing Standards
        (SAS) 70 report on the Department of Interior's National Business Center in Reston, VA.
        CNCS also maintains SAS 70 reports on the Department of Health and Human Services and the
        National Finance Center systems to address interconnections between their respective
        systems. Additionally, a technical training and assistance agreement exists between the
        CNCS Grants office and the Aguirre Hosting Corporation for the Web based Reporting System
        (WBRS), as well as contracts with various contractors to ensure compliance with security
        requirements. The effect on CNCS of having these mechanisms in place is a documented set
        of policies, requirements, roles and responsibilities between the Corporation and critical
        "partners" to further enhance the security and sustainment of critical operations and
        resources.

Did the agency use the NIST self-assessment guide to conduct its reviews?

        CNCS also used the self-assessment guide as outlined in NIST SP 800-26, Security
        Self-Assessment Guide for Information Technology Systems, in 2002 and 2003 during the
        development of Security Plans.

        During 2003, CNCS followed OMB A-130 guidelines by using NIST's Security Self-Assessment
        Guide for Information Technology Systems (SP 800-26) in their security plan review of the
        Momentum System, maintained by the National Business Center. Additionally, CNCS used
        NIST's Risk Management Guide for Information Technology Systems (SP 800-30) in the
        performance of a risk assessment for Momentum, during the re-certification and
        accreditation of Momentum.

If the agency did not use the NIST self-assessment guide and instead used an agency-developed
methodology, please confirm that all elements of the NIST guide were addressed in the agency
methodology.

Provide a brief update on the agency's work to develop an inventory of major IT systems.

        The Corporation describes its systems within its Information Management Strategic Plan
        to document all systems, to include major applications, general support systems, and
        "other" systems not deemed vital to CNCS operations. CNCS also maintains Exhibit 300s
        and C&As for systems deemed major applications to the critical operations of CNCS. The
        Deputy Chief Information Officer has deemed this method of "inventory" appropriate since
        the number of major applications is small.

CNCS programs include Senior Corps, AmeriCorps and Learn and Serve America. CNCS currently uses,
operates or owns three major applications and one general support system. The Office of Inspector
General operates its own general support system.
The systems list follows.

Major Applications:
        - Momentum [operated by the Department of Interior's National Business Center].
        - Electronic-System for Program Agreements and National Service Participants (E-SPAN),
          which also includes the e-Grants module.
        - Web-based Reporting System (WBRS), maintained by the Aguirre Hosting Corporation.

General Support Systems:
        - CNCS Network.
        - CNCS OIG Local Area Network.


FY03 Material Weaknesses

Bureau Name        Total Number    Total Number Repeated    Identify and Describe Each    POA&Ms developed?
                                   from FY02                Material Weakness             Y/N
Agency Total            0                  0

No material weaknesses were identified for CNCS during the course of this assessment.


POA&M process (responses refer to the notes that follow):

        Agency program officials develop, implement, and manage POA&Ms for every system
        that they own and operate (systems that support their programs) that has an IT
        security weakness.                                                         No (see note)

        Agency program officials report to the CIO on a regular basis (at least quarterly)
        on their remediation progress.                                             Yes (see note)

        Agency CIO develops, implements, and manages POA&Ms for every system that they
        own and operate (systems that support their programs) that has an IT security
        weakness.                                                                  Yes (see note)

        The agency CIO centrally tracks and maintains all POA&M activities on at least a
        quarterly basis.                                                           Yes (see note)

        The POA&M is the authoritative agency and IG management tool to identify and
        monitor agency actions for correcting information and IT security weaknesses.
                                                                                   No (see note)

        System-level POA&Ms are tied directly to the system budget request through the IT
        business case as required in OMB budget guidance (Circular A-11) to tie the
        justification for IT security funds to the budget process.                 No (see note)

        Agency IGs are an integral part of the POA&M process and have access to agency
        POA&Ms.                                                                    Yes (see note)

        The agency's POA&M process represents a prioritization of agency IT security
        weaknesses that ensures that significant IT security weaknesses are addressed in a
        timely manner and receive, where necessary, appropriate resources.         No (see note)

Notes:

There is a single agency POA&M that is managed by the Deputy Chief Information Officer, acting as the
Program Official for all systems. There are other mechanisms throughout CNCS that track various types
of action items related to agency systems.

The Deputy Chief Information Officer acts as the Program Official for all CNCS systems. He is an
integral part of all phases of the lifecycle process, including remediation of POA&M items.

A single POA&M is developed and managed by the Deputy Chief Information Officer that includes an
aggregate of IT security weaknesses for all major applications.

The Deputy Chief Information Officer maintains the agency-wide POA&M and reports the status on a
quarterly basis. Other tracking mechanisms are currently in place to track action items.

Currently, there is a single agency-wide POA&M.
There are no "system-level" POA&Ms identified by the Corporation's Exhibit 300 identification to tie to
business cases.

The agency Office of Inspector General is involved in the POA&M process in two critical areas. First, it
reviews POA&M items during financial audits to ensure compliance with financial regulations. Second,
it provides an oversight role to ensure that FISMA independent assessments are conducted on a yearly
basis. Additionally, the Office of Inspector General is involved during system design and re-design
phases to offer input into "auditable issues" to the functional and technical members of the design team.

The agency-wide POA&M contains a list of significant IT security weaknesses and represents a
prioritization of those items. However, there are no system-level POA&Ms maintained at this time to
ensure tracking of system-specific IT security weaknesses.


B. RESPONSIBILITIES OF AGENCY HEAD

For the purposes of this report, the CNCS agency head is the Chief Financial Officer.

a. Has the agency fully identified its national critical operations and assets?                 Yes
b. Has the agency fully identified the interdependencies and interrelationships of those
   nationally critical operations and assets?                                                   Yes
c. Has the agency fully identified its mission critical operations and assets?                  Yes
d. Has the agency fully identified the interdependencies and interrelationships of those
   mission critical operations and assets?                                                      Yes
e. If yes, describe the steps the agency has taken as a result of the review.

        The agency maintains the detailed description of agency systems, their support to critical
        operations and interdependencies in the IM Strategic Plan. This plan is being updated during
        2003 to describe the methodology for identifying major applications and for enhancing the
        description of interdependencies and interrelationships.

f. If no, please explain why.                                                                   N/A


Incident handling and response

Identify and describe the procedures for external reporting to law enforcement authorities and to the
Federal Computer Incident Response Center (FedCIRC).

        Guidelines to provide OIT and end users with the procedures for reporting incidents. This
        document was updated in July 2002. All users will notify the Deputy CIO and/or the ISSO
        immediately when an incident occurs. The Deputy CIO or Information Systems Security Officer
        then determines the next course of action, whether that includes notifying law enforcement
        and/or FedCIRC. The Deputy CIO and ISSO are directly involved in the process to ensure all
        procedures are followed according to CNCS and FedCIRC policy. Physical security incidents are
        reported to CNCS Administrative Services, which in turn notifies the Washington D.C. Police
        Department (WPD) or Federal Protective Service as required.

Total number of agency components or bureaus.                                                     1

Number of agency components with incident handling and response capability.
        1 - All agency incident handling and response capability is supported through CNCS OIT.

Number of agency components that report to FedCIRC.                                               1

Does the agency and its major components share incident information with FedCIRC in a timely manner
consistent with FedCIRC and OMB guidance?

What is the required average time to report to the agency and FedCIRC following an incident?
                                                                                            3 Hours

How does the agency, including the programs within major components, confirm that patches have been
tested and installed in a timely manner?

        CNCS OIT develops and implements all patch policies within the agency. Internal intrusion
        detection software is run to detect patch level. When a patch is required, it is first
        installed on a test platform and verified. The patch is then applied to the production
        platform and verified. The intrusion detection scan is run again to validate the patch and
        ensure no other patches are required.

Is the agency a member of the Patch Authentication and Distribution Capability operated by FedCIRC?
                                                                                                Yes

If yes, how many active users does the agency have for this service?                              3

Has the agency developed and complied with specific configuration requirements that meet their own
needs?                                                                                          Yes

Do these configuration requirements address patching of security vulnerabilities?               Yes


Bureau Name    Number of incidents reported    Number of incidents reported    Number of incidents reported
                                               externally to FedCIRC           externally to law enforcement

There have been no successful incidents during this fiscal year. This result is as of August 27, 2003.


C. RESPONSIBILITIES OF AGENCY PROGRAM OFFICIALS AND AGENCY CHIEF INFORMATION OFFICERS

For the purposes of this report, the CNCS program official is the Deputy Chief Information Officer.

Bureau Name: CNCS (Agency Total)
        Total number of systems:                                                               3
        Number of systems assessed for risk and assigned a level of risk:                      3 (100%)
        Number of systems that have an up-to-date IT security plan:                            3 (100%)
        Number of systems certified and accredited:                                            3 (100%)
        Number of systems with security control costs integrated into the life cycle of the
        system:                                                                                3 (100%)
        Number of systems for which security controls have been tested and evaluated in the
        last year:                                                                             3 (100%)
        Number of systems with a contingency plan:                                             3 (100%)
        Number of systems for which contingency plans have been tested:                        3 (100%)

During 2002-2003, a complete Certification and Accreditation process was executed for the e-Grants
module of E-SPAN, resulting in a total of four for each of the categories defined above.
However, now that e-Grants is classified as a module of the E-SPAN major system, the numbers provided
above include e-Grants as part of E-SPAN.


Has the agency CIO maintained an agency-wide IT security program? Y/N
        Yes

Did the CIO evaluate the performance of all agency bureaus/components? Y/N
        Yes

How does the agency CIO ensure that bureaus comply with the agency-wide IT security program?

        The Deputy CIO acts on behalf of the CIO (position currently vacant) and fulfills the role of
        program official for all major and general support systems. There are no separate bureaus
        within CNCS. Programs support specific CNCS business areas. All security-related issues from
        program functional area leaders are coordinated through the Deputy CIO, OIT and the
        Information System Security Office.

Has the agency CIO appointed a senior agency information security officer per the requirements in
FISMA?
        Yes

Do agency POA&Ms account for all known agency security weaknesses including all components?

        No. Currently there are a number of tracking mechanisms used by CNCS, based on the type of
        issue and area of responsibility in responding to them. It has been recommended by the FISMA
        assessment team that CNCS evaluate the current process and tracking mechanisms to develop a
        process that ensures that agency-wide and system-level POA&Ms account for all known security
        weaknesses.


IT security training, FY03:
        Total number of agency employees in FY03:                                                606
        Agency employees that received IT security training in FY03:                      659 (109%)
        Total number of agency employees with significant IT security responsibilities:            7
        Agency employees with significant security responsibilities that received
        specialized training:                                                               7 (100%)
        Total costs for providing training in FY03:                                             $27K
        Briefly describe training provided:
                In addition to the annual security awareness training, these individuals receive
                training through FedSec and on-line training sites (such as the VPN security class
                through on-line webcast), as well as utilizing various security organization
                websites, trade shows and publications to remain aware of current security issues.

All employees and contractors that require access to systems or sensitive data must undergo IT security
awareness training before obtaining accounts and access to the applicable data. The number of agency
employees, as of July 30, 2003, is 606. The number of employees that received training during FY 2003
includes current employees and those who received training during this fiscal year but left the
Corporation prior to July 30, 2003. The next formal "annual" training is scheduled for December 2003
(FY 2004).


IT security in business cases (C.4):

Bureau Name: CNCS
        Number of business cases submitted to OMB in FY05:                                         3
        Did the agency program official plan and budget for IT security and integrate security
        into all of their business cases? Y/N                                                    Yes
        Did the agency CIO plan and budget for IT security and integrate security into all of
        their business cases? Y/N                                                                Yes
        Are IT security costs reported in the agency's exhibit 53 for each IT investment? Y/N    Yes

CNCS has not completed business cases for FY 2005; therefore, values for the questions in C.4 above
were not available at the time of this report. The current plan is to develop three business cases based
on the Momentum, WBRS and E-SPAN major applications.
A fourth business case may be included for the infrastructure, based on a resolution of current OMB
guidance on steady-state systems and architectures previously not considered major applications.

As of the date of this report, specific requirements were not defined within the FY 2005 business cases.
Historically, CNCS program officials plan and budget IT security requirements as they apply to each
business case. However, reporting may be "rolled" into a specific business case due to the consolidated
infrastructure that affects the security implementation across one or multiple systems. The method for
defining security requirements is dependent upon defined security requirement(s) and/or planned
execution of the budget to support them. At this time, there is no specific material to state factually that
individual FY 2005 business cases will not contain security information. Thus, the current plan is to state
them by business case.


                                                                                             Appendix C
              Corporation for National and Community Service (CNCS) FY 2003 Information Security Program


AGENCY RESPONSE TO OIG FY 2003 FISMA REPORT


September 10, 2003

The Honorable Russell George,
Inspector General
Corporation for National and Community Service

Dear Mr. George:

        The Corporation has reviewed the draft report Review of the Corporation for National and
Community Service Implementation of the Federal Information Security Management Act (OIG Audit
Report 03-26, dated August 21, 2003). The purpose of Richard S. Carson & Associates' (Carson &
Associates) work was to review the Corporation's information systems security program and assess the
effectiveness of the program.
The procedures performed by Carson & Associates included sophisticated attempts to penetrate the
Corporation's systems as both an "outside" hacker and an "insider." We note with satisfaction that
Carson & Associates found two minor security vulnerabilities that were only discovered once they were
given access to the network and that they were unsuccessful in their external attempts to penetrate the
Corporation's systems.

        The Corporation is also pleased that Carson & Associates concluded that the Corporation's
systems security program is effective and efficient. The Corporation has taken the security of its
computer resources very seriously and will continue to do so. To this end, the Corporation routinely
tests and monitors its systems and contracts with independent EDP consultants to review and test its
systems. We also rely on the testing and review that was performed by Carson & Associates on behalf of
the Office of the Inspector General and discussed in this report.

        The report cites a single theme which Carson & Associates feels that the Corporation should
focus upon - documentation. There are five specific recommendations for improved documentation. The
first of these recommendations is for the development of a set of system-level rules of behavior for
eSPAN. While we believe that the rules of behavior for eSPAN are set and followed through a series of
processes, including the configuration of the system, the Corporation will develop a formal document to
address this recommendation.

        In the second recommendation, Carson & Associates reiterated an earlier finding that has been
reported on our quarterly Plans of Action and Milestone (POA&M) reports to OMB, but has yet to be
completed. This recommendation is to include in the Corporation's Strategic Plan a summary of its major
systems security plans. The Corporation's Strategic Plan is currently being revised and will include these
summaries.

        The final three recommendations center on the process involved in performing reviews of the
Corporation's security program. These recommendations call for the development of three documents
that would assist in defining the Corporation's approach to security reviews. The Corporation agrees
with these recommendations and will develop documents that will define our yearly accreditation
process; specifically document how the Corporation classifies systems and what its major systems are;
and develop an overall POA&M process which will provide a single point for tracking future IT audit
recommendations.

        Finally, the Corporation would like to express its appreciation for the work of Carson &
Associates staff and their flexibility to work around the other pressing responsibilities of the
Corporation staff.


                                             Michelle Guillermin
                                             Chief Financial Officer


                         1201 New York Avenue, NW * Washington, DC 20525
                         202-606-5000 * www.nationalservice.org
                         Senior Corps * AmeriCorps * Learn and Serve America